KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)



NAME
       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf(5) for programs which are
       typically only used on a KDC, such as the krb5kdc(8) and kadmind(8)
       daemons and the kdb5_util(8) program.  Relations documented here may
       also be specified in krb5.conf; for the KDC programs mentioned,
       krb5.conf and kdc.conf will be merged into a single configuration
       profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

STRUCTURE
       The kdc.conf file is set up in the same format as the krb5.conf(5)
       file.

SECTIONS
       The kdc.conf file may contain the following sections:

       ┌──────────────┬────────────────────────────┐
       │[kdcdefaults] │ Default values for KDC     │
       │              │ behavior                   │
       ├──────────────┼────────────────────────────┤
       │[realms]      │ Realm-specific database    │
       │              │ configuration and settings │
       ├──────────────┼────────────────────────────┤
       │[dbdefaults]  │ Default database settings  │
       ├──────────────┼────────────────────────────┤
       │[dbmodules]   │ Per-database settings      │
       ├──────────────┼────────────────────────────┤
       │[logging]     │ Controls how Kerberos      │
       │              │ daemons perform logging    │
       └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values
       for realm variables, to be used if the [realms] subsection does not
       contain a relation for the tag.  See the [realms] section for the
       definitions of these relations.

       · host_based_services

       · kdc_listen

       · kdc_ports

       · kdc_tcp_listen

       · kdc_tcp_ports

       · no_host_referral

       · restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.  A reply that would exceed
              this size is not sent over UDP: the KDC returns
              KRB_ERR_RESPONSE_TOO_BIG and the client retries over TCP, so
              kdc_tcp_listen should not be disabled in realms whose tickets
              carry large authorization data.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the
              KDC daemon.  The value may be limited by OS settings.  The
              default value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic
              challenge.  See the spake_preauth_groups variable in
              libdefaults for possible values.  The default is not to issue
              an optimistic challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.
       The value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows
       how to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind(8) uses to determine which principals are allowed
              which permissions on the Kerberos database.  To operate
              without an ACL file, set this relation to the empty string
              with acl_file = "".  The default value is
              /var/kerberos/krb5kdc/kadm5.acl.  For more information on the
              Kerberos ACL file, see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the
              configuration section under [dbmodules] for database-specific
              parameters used by the loadable database library.  The
              default value is the realm name.  If this configuration
              section does not exist, default values will be used for all
              database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location
              of the Kerberos database for this realm, if the DB2 module is
              being used and the [dbmodules] configuration section does not
              specify a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies the default expiration date of
              principals created in this realm.  The default value is 0,
              which means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of
              principals created in this realm.  The format for this string
              is a comma-separated list of flags, with '+' before each flag
              that should be enabled and '-' before each flag that should
              be disabled.  The postdateable, forwardable, tgt-based,
              renewable, proxiable, dup-skey, allow-tickets, and service
              flags default to enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue
                     tickets for this principal.  Disabling this flag
                     essentially deactivates the principal within this
                     realm.

              dup-skey
                     Enabling this flag allows the KDC to issue
                     user-to-user service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is
                     required to preauthenticate using a hardware device
                     before receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use
                     S4U2Self tickets for delegation: the service tickets
                     it obtains on a user's behalf via S4U2Self are
                     forwardable and can be presented in S4U2Proxy
                     (constrained delegation) requests.  Without the flag
                     they are not.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then
                     that principal is required to preauthenticate to the
                     KDC before receiving any tickets.  On a service
                     principal, enabling this flag means that service
                     tickets for this principal will only be issued to
                     clients with a TGT that has the preauthenticated bit
                     set.  This flag is not in the default-enabled set;
                     until it is set, the KDC answers an AS-REQ for the
                     principal with an AS-REP encrypted in its long-term
                     key, which can be taken offline and cracked.  Adding
                     +preauth to default_principal_flags protects newly
                     created principals.

              proxiable
                     Enabling this flag allows the principal to obtain
                     proxy tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal; disabling it blocks
                     ordinary service tickets.  In release 1.17 and later,
                     user-to-user service tickets are still allowed if the
                     dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain
                     tickets based on a ticket-granting-ticket, rather than
                     repeating the authentication process that was used to
                     obtain the TGT.

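The flag string above is easy to get subtly wrong (a misspelled flag, or a
forgotten +preauth).  The following added example, written for this page and
not taken from MIT Kerberos, applies a default_principal_flags string on top
of the eight flags the page says default to enabled, rejects entries it cannot
interpret, and reports the choices a reviewer would question.  The flag names
are those listed above; the hardening_findings() checks are this editor's
choices.

```python
"""Resolve a default_principal_flags string into the effective attribute set.

Added example for this page; it is not MIT Kerberos code.  It models only
what the page documents: a comma-separated list, '+' enables, '-' disables,
applied on top of the eight flags that default to enabled.  The
hardening_findings() checks are this editor's choices.
"""

KNOWN_FLAGS = {
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
}

# Enabled when default_principal_flags does not mention the flag (per the page).
DEFAULT_ENABLED = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})


def resolve_principal_flags(spec: str) -> frozenset:
    """Apply spec left to right on top of DEFAULT_ENABLED.

    Rejects unknown names and entries without a +/- prefix, so a typo such
    as "+preath" fails loudly instead of silently leaving preauth off.
    """
    enabled = set(DEFAULT_ENABLED)
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        sign, name = entry[0], entry[1:].strip()
        if sign not in "+-" or name not in KNOWN_FLAGS:
            raise ValueError(f"bad default_principal_flags entry: {entry!r}")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return frozenset(enabled)


def hardening_findings(flags: frozenset) -> list:
    """What a reviewer would raise about the resulting default policy."""
    findings = []
    if "preauth" not in flags:
        findings.append("preauth off: new principals answer AS-REQs without "
                        "preauthentication, so their AS-REP can be cracked offline")
    if "forwardable" in flags:
        findings.append("forwardable on: new principals get delegatable TGTs")
    if "ok-to-auth-as-delegate" in flags:
        findings.append("ok-to-auth-as-delegate on: S4U2Self tickets usable "
                        "for constrained delegation by default")
    return findings


if __name__ == "__main__":
    policy = resolve_principal_flags("+preauth,-forwardable,-proxiable")
    print(sorted(policy))
    print(hardening_findings(policy) or "no findings")
```

Run against the page's default set (an empty string) the checker reports two
findings, preauth off and forwardable on; with "+preauth,-forwardable" it
reports none.
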
       dict_file
              (String.)  Location of the dictionary file containing strings
              that are not allowed as passwords.  The file should contain
              one string per line, with no additional whitespace.  If none
              is specified or if there is no policy assigned to the
              principal, no dictionary checks of passwords will be
              performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that
              the KDC asserts into tickets obtained using FAST encrypted
              challenge pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_master_ulogsize
              (Integer.)  Specifies the maximum number of log entries to be
              retained for incremental propagation.  The default value is
              1000.  Prior to release 1.11, the maximum value was 2500.

       iprop_replica_poll
              (Delta time string.)  Specifies how often the replica KDC
              polls for new updates from the master.  The default value is
              2m (that is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta time string.)  The name for iprop_replica_poll prior
              to release 1.17.  Its value is used as a fallback if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop
              RPC listening addresses and/or ports for the kadmind(8)
              daemon.  Each entry may be an interface address, a port
              number, or an address and port number separated by a colon.
              If the address contains colons, enclose it in square
              brackets.  If no address is specified, the wildcard address
              is used.  If kadmind fails to bind to any of the specified
              addresses, it will fail to start.  The default (when
              iprop_enable is true) is to bind to the wildcard address at
              the port specified in iprop_port.  New in release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the replica KDC configuration file,
              and this relation or iprop_listen is required in the master
              configuration file, as there is no default port number.  Port
              numbers specified in iprop_listen entries will override this
              port number for the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait
              for a full propagation to complete.  This is optional in
              configuration files, and is used by replica KDCs only.  The
              default value is 5 minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the
              realm database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5
              config file, with .ulog appended.  (NOTE: If database_name
              isn't specified in the realms section, perhaps because the
              LDAP database back end is being used, or the file name is
              specified in the [dbmodules] section, then the hard-coded
              default for database_name is used.  Determination of the
              iprop_logfile default value will not use values from the
              [dbmodules] section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin
              RPC listening addresses and/or ports for the kadmind(8)
              daemon.  Each entry may be an interface address, a port
              number, or an address and port number separated by a colon.
              If the address contains colons, enclose it in square
              brackets.  If no address is specified, the wildcard address
              is used.  If kadmind fails to bind to any of the specified
              addresses, it will fail to start.  The default is to bind to
              the wildcard address at the port specified in kadmind_port,
              or the standard kadmin port (749).  New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for this realm.  Port numbers specified
              in kadmind_listen entries will override this port number.
              The assigned port for kadmind is 749, which is used by
              default.

       key_stash_file
              (String.)  Specifies the location where the master key has
              been stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.  The stash file holds the master key unencrypted, and
              the master key decrypts every key in the database, so the
              file must be readable only by the user the KDC runs as and
              must be handled like the database itself in backups.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no
              address is specified, the wildcard address is used.  If no
              port is specified, the standard port (88) is used.  If the
              KDC daemon fails to bind to any of the specified addresses,
              it will fail to start.  The default is to bind to the
              wildcard address on the standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the
              krb5kdc(8) daemon to listen on for UDP requests.  In release
              1.15 and later, it has the same meaning as kdc_listen if that
              relation is not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no
              address is specified, the wildcard address is used.  If no
              port is specified, the standard port (88) is used.  To
              disable listening on TCP, set this relation to the empty
              string with kdc_tcp_listen = "".  If the KDC daemon fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address on the
              standard port.  New in release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the
              krb5kdc(8) daemon to listen on for TCP requests.  In release
              1.15 and later, it has the same meaning as kdc_tcp_listen if
              that relation is not defined.
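
The listener relations above (kdc_listen, kdc_tcp_listen, kadmind_listen,
kpasswd_listen, iprop_listen) all share one entry syntax.  The following
added example, written for this page rather than taken from MIT Kerberos,
parses that syntax as documented and lists which endpoints end up bound to
the wildcard address, which is the question to ask on a multi-homed KDC
where kadmind or kpasswd should face only an administrative network.  The
standard ports are those the page gives; iprop_listen has no standard port,
so it must be supplied.

```python
"""Parse the listener relations (kdc_listen, kdc_tcp_listen, kadmind_listen,
kpasswd_listen, iprop_listen) exactly as the page describes them.

Added example, not MIT Kerberos code.  Rules taken from the page: entries
are whitespace- or comma-separated; each is an address, a port, or
address:port; an address containing colons is enclosed in square brackets;
no address means the wildcard; no port means the relation's standard port.
The empty string disables the listener (documented for kdc_tcp_listen).
iprop_listen has no standard port, so default_port must be passed for it.
"""
import re

STANDARD_PORT = {
    "kdc_listen": 88, "kdc_tcp_listen": 88,
    "kadmind_listen": 749, "kpasswd_listen": 464,
}


def parse_listen(relation, value, default_port=None):
    """Return [(address, port), ...]; address None means the wildcard."""
    if default_port is None:
        default_port = STANDARD_PORT[relation]
    endpoints = []
    for entry in re.split(r"[\s,]+", value.strip()):
        if not entry:
            continue
        if entry.startswith("["):                 # [v6addr] or [v6addr]:port
            close = entry.find("]")
            if close < 0:
                raise ValueError(f"unterminated bracket in {entry!r}")
            addr, rest = entry[1:close], entry[close + 1:]
            if rest == "":
                port = default_port
            elif rest.startswith(":"):
                port = int(rest[1:])
            else:
                raise ValueError(f"junk after address in {entry!r}")
        elif entry.isdigit():                     # bare port
            addr, port = None, int(entry)
        elif ":" in entry:                        # v4addr:port
            addr, port_str = entry.rsplit(":", 1)
            port = int(port_str)
        else:                                     # bare address
            addr, port = entry, default_port
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {entry!r}")
        endpoints.append((addr, port))
    return endpoints


def wildcard_endpoints(relation, value, default_port=None):
    """Endpoints bound on every interface, the ones to justify on a
    multi-homed KDC (kadmind and kpasswd rarely need to face every network)."""
    return [ep for ep in parse_listen(relation, value, default_port)
            if ep[0] is None]


if __name__ == "__main__":
    # Constructed sample values, not from any real kdc.conf.
    print(parse_listen("kdc_tcp_listen", "10.0.0.5 [2001:db8::1]:8888, 750"))
    print(wildcard_endpoints("kadmind_listen", "749 [fd00::5]"))
```

Feeding "10.0.0.5 [2001:db8::1]:8888, 750" to parse_listen for kdc_tcp_listen
yields the IPv4 address on port 88, the bracketed IPv6 address on 8888, and
a wildcard bind on 750.
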

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind(8) daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address at the
              port specified in kpasswd_port, or the standard kpasswd port
              (464).  New in release 1.15.

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for password change requests for this
              realm.  Port numbers specified in kpasswd_listen entries will
              override this port number.  The assigned port for password
              change requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal associated
              with the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For a
              list of all possible values, see Encryption types.

       max_life
              (duration string.)  Specifies the maximum time period for
              which a ticket may be valid in this realm.  The default value
              is 24 hours.

       max_renewable_life
              (duration string.)  Specifies the maximum time period during
              which a valid ticket may be renewed in this realm.  The
              default value is 0, which means tickets in the realm are not
              renewable even if the principals allow it; the effective
              limit is the smallest of this value and the client and server
              principals' own maximum renewable lifetimes.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to
              block from getting host-based referral processing, even if
              the client marks the server principal as host-based or the
              service is also listed in host_based_services.
              no_host_referral = * will disable referral processing
              altogether.

       des_crc_session_supported
              (Boolean value.)  If set to true, the KDC will assume that
              service principals support des-cbc-crc for session key
              enctype negotiation purposes.  If allow_weak_crypto in
              libdefaults is false, or if des-cbc-crc is not a permitted
              enctype, then this variable has no effect.  Defaults to true.
              New in release 1.11.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list
              of transited realms for cross-realm tickets against the
              transit path computed from the realm names and the capaths
              section of its krb5.conf(5) file; if the path in the ticket
              to be issued contains any realms not in the computed path,
              the ticket will not be issued, and an error will be returned
              to the client instead.  If this value is set to false, such
              tickets will be issued anyway, and it will be left up to the
              application server to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, the transit check is skipped; with
              reject_bad_transit set to true, however, such requests are
              always rejected rather than honoured.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.
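
The decision above is worth seeing end to end, because it is the control
that stops a compromised or rogue intermediate realm from minting tickets
into yours.  The following added example is this editor's model of the
check, not the KDC's own code, and it simplifies in three labelled ways: the
capaths data is a plain dict (the krb5.conf syntax for it is not covered on
this page); the hierarchical fallback "computed from the realm names" is a
walk up the dotted names to their common suffix and back down; and the
ticket's transited field is given as a list of realm names instead of the
compressed encoding real tickets carry.

```python
"""Model of the transited-realm check controlled by reject_bad_transit.

Added example, not the KDC's own code.  Assumptions, all simplifications:
capaths is a plain dict {client_realm: {server_realm: [hop, ...]}} with "."
meaning a direct trust (the krb5.conf syntax is not covered on this page);
the hierarchical fallback walks the dotted realm names toward their common
suffix; and the ticket's transited field is handed over as a list of realm
names rather than in the compressed encoding real tickets carry.
"""


def hierarchical_path(client_realm, server_realm):
    """Intermediate realms when no capath is configured: climb from the
    client realm to the common suffix, then descend toward the server."""
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while (common < min(len(c), len(s))
           and c[-1 - common] == s[-1 - common]):
        common += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(1, len(s) - common + 1)]
    path = up + list(reversed(down))
    return list(dict.fromkeys(
        r for r in path if r and r not in (client_realm, server_realm)))


def computed_path(capaths, client_realm, server_realm):
    """Realms allowed in the transited field for client -> server."""
    if client_realm == server_realm:
        return []
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    return [r for r in hops if r != "."]


def check_transit(capaths, client_realm, server_realm, transited,
                  reject_bad_transit=True, disable_transited_check=False):
    """Decide a cross-realm TGS request.  Returns (issue_ticket, reason)."""
    if disable_transited_check:
        # The client asked the KDC to skip the check.  With
        # reject_bad_transit the KDC refuses such requests outright.
        if reject_bad_transit:
            return False, "disable-transited-check refused by policy"
        return True, "transit check skipped at client request"
    allowed = set(computed_path(capaths, client_realm, server_realm))
    unexpected = [r for r in transited if r not in allowed]
    if unexpected:
        if reject_bad_transit:
            return False, ("realms not on the computed path: "
                           + ", ".join(unexpected))
        return True, "bad transit path; application server must validate"
    return True, "transit path ok"


if __name__ == "__main__":
    # Constructed realms; no capaths entry, so the hierarchy is used.
    print(computed_path({}, "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM"))
    print(check_transit({}, "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM",
                        ["EVIL.NET"]))
```

With no capaths entry, ENG.EXAMPLE.COM to SALES.EXAMPLE.COM is expected to
transit only EXAMPLE.COM; a ticket whose transited field names EVIL.NET is
refused unless reject_bad_transit is false, in which case it is issued and
the application server is left to notice.
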

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals
              other than the realm's ticket-granting service.  This option
              allows anonymous PKINIT to be enabled for use as FAST armor
              tickets without allowing anonymous authentication to
              services.  The default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that
              the KDC asserts into tickets obtained using SPAKE
              pre-authentication.  The default is not to add any
              indicators.  This option may be specified multiple times.
              New in release 1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin(1) will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
              arcfour-hmac-md5:normal.  For lists of possible values, see
              Keysalt lists.  Every type listed here is a key the KDC
              stores for each new principal, and the arcfour-hmac-md5 key
              is the unsalted NT hash of the password, so keeping legacy
              types for old clients also makes offline attacks on a stolen
              database or captured tickets cheaper; list only the types
              your clients still need.

   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not
       contain a relation for the tag.  See the [dbmodules] section for the
       definitions of these relations.

       · ldap_kerberos_container_dn

       · ldap_kdc_dn

       · ldap_kdc_sasl_authcid

       · ldap_kdc_sasl_authzid

       · ldap_kdc_sasl_mech

       · ldap_kdc_sasl_realm

       · ldap_kadmind_dn

       · ldap_kadmind_sasl_authcid

       · ldap_kadmind_sasl_authzid

       · ldap_kadmind_sasl_mech

       · ldap_kadmind_sasl_realm

       · ldap_service_password_file

       · ldap_servers

       · ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section
       is the name of a Kerberos realm or a section name specified by a
       realm's database_module parameter.  The following example shows how
       to define one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database
              in the filesystem.  The default is
              /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for the
              LMDB module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last
              successful authentication" field of principal entries
              requiring preauthentication.  Setting this flag may improve
              performance.  (Principal entries which do not require
              preauthentication never update the "Last successful
              authentication" field.)  First introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout: the maxfailure lockout configured in password
              policies (see kadmin(1)) is never triggered, so online
              password guessing against preauthenticated principals is
              limited only by KDC throughput.  First introduced in release
              1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to
              be maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding
              to the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn,
              while the kadmind(8) daemon and other administrative programs
              use ldap_kadmind_dn.  The kadmind DN must have the rights to
              read and write the Kerberos data in the LDAP database.  The
              KDC DN must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are
              ignored if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all
              SASL mechanisms require an authentication identity.  If the
              SASL mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New
              in release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization
              identity to use when binding to the LDAP server.  In most
              circumstances they do not need to be specified.  New in
              release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do
              not need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container
              object where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers
              that the Kerberos servers can connect to.  The list of LDAP
              servers is whitespace-separated.  The LDAP server is
              specified by an LDAP URI.  It is recommended to use ldapi: or
              ldaps: URLs to connect to the LDAP server, since a plain
              ldap: URL carries the bind credentials and the principal
              keys over the network unprotected.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the
              stashed passwords (created by kdb5_ldap_util stashsrvpw) for
              the ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two
              database environments in megabytes.  The default value is
              128.  Increase this value to address "Environment mapsize
              limit reached" errors.  New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of
              concurrent reading processes for the databases.  The default
              value is 128.  New in release 1.17.

       nosync This LMDB-specific tag can be set to improve the throughput
              of kadmind and other administrative agents, at the expense of
              durability (recent database changes may not survive a power
              outage or other sudden reboot).  It does not affect the
              throughput of the KDC.  The default value is false.  New in
              release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing
              each principal.  Setting this flag to true can prevent
              extended blocking of KDC or kadmin operations when dumps of
              large databases are in progress.  First introduced in
              release 1.13.

       The following tag may be specified directly in the [dbmodules]
       section to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.

   [logging]
       The [logging] section indicates how krb5kdc(8) and kadmind(8)
       perform logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind(8) performs logging.

       kdc    Specifies how krb5kdc(8) performs logging.

       default
              Specifies how either daemon performs logging in the absence
              of relations specific to the daemon.

       debug  (Boolean value.)  Specifies whether debugging messages are
              included in log outputs other than SYSLOG.  Debugging
              messages are always included in the system log output
              because syslog performs its own priority filtering.  The
              default value is false.  New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the
              filename.  If the = form is used, the file is overwritten
              each time the daemon starts.  If the : form is used, the file
              is appended to.

       STDERR This value causes the daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the
              specified device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the
              system log.

              For backward compatibility, a severity argument may be
              specified, and must be specified in order to specify a
              facility.  This argument will be ignored.

              The facility argument specifies the facility under which the
              messages are logged.  This may be any of the following
              facilities supported by the syslog(3) call minus the LOG_
              prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP,
              CRON, and LOCAL0 through LOCAL7.  If no facility is
              specified, the default is AUTH.

       In the following example, the logging messages from the KDC will go
       to the console and to the system log under the facility LOG_DAEMON
       with default severity of LOG_INFO; and the logging messages from
       the administrative server will be appended to the file
       /var/adm/kadmin.log and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04
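
The one-character difference between FILE= and FILE: decides whether the
previous log survives a restart, which matters most during an incident.
The following added example, written for this page and not taken from MIT
Kerberos, interprets the specification forms listed above, applies the rule
that a daemon falls back to the default relation only when it has no
relations of its own, and flags FILE= destinations.  The sample [logging]
section in the code is constructed for the example.

```python
"""Interpret [logging] relations the way the page defines them.

Added example, not MIT Kerberos code.  It encodes the documented forms
(FILE=path truncates, FILE:path appends, STDERR, CONSOLE, DEVICE=path,
SYSLOG[:severity[:facility]] with the severity ignored and AUTH as the
default facility) and the rule that a daemon falls back to the "default"
relation only when it has no relations of its own.  SAMPLE_LOGGING is
constructed for this example.
"""

SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR",
                     "NEWS", "UUCP", "CRON"} | {f"LOCAL{i}" for i in range(8)}

# Constructed sample: the KDC inherits "default", kadmind has its own.
SAMPLE_LOGGING = {
    "default": ["SYSLOG:INFO:DAEMON"],
    "admin_server": ["FILE=/var/adm/kadmin.log", "DEVICE=/dev/tty04"],
}


def parse_logging_spec(spec):
    """Return a dict describing one logging destination."""
    spec = spec.strip()
    if spec.startswith("FILE="):
        return {"dest": "file", "path": spec[5:], "mode": "truncate"}
    if spec.startswith("FILE:"):
        return {"dest": "file", "path": spec[5:], "mode": "append"}
    if spec == "STDERR":
        return {"dest": "stderr"}
    if spec == "CONSOLE":
        return {"dest": "console"}
    if spec.startswith("DEVICE="):
        return {"dest": "device", "path": spec[7:]}
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        if len(parts) > 3:
            raise ValueError(f"too many fields in {spec!r}")
        facility = parts[2] if len(parts) == 3 else "AUTH"
        if facility not in SYSLOG_FACILITIES:
            raise ValueError(f"unknown syslog facility in {spec!r}")
        return {"dest": "syslog", "facility": facility}   # severity ignored
    raise ValueError(f"unrecognised logging specification {spec!r}")


def effective_logging(logging_section, daemon):
    """Destinations for 'kdc' or 'admin_server', per the fallback rule."""
    specs = logging_section.get(daemon) or logging_section.get("default", [])
    return [parse_logging_spec(s) for s in specs]


def logging_findings(logging_section, daemon):
    """FILE= is the classic mistake: the previous log is overwritten at
    every daemon start, which is exactly when an investigator needs it."""
    findings = []
    for dest in effective_logging(logging_section, daemon):
        if dest["dest"] == "file" and dest["mode"] == "truncate":
            findings.append(f"{daemon}: FILE={dest['path']} truncates on "
                            f"restart; use FILE:{dest['path']} to append")
    return findings


if __name__ == "__main__":
    for daemon in ("kdc", "admin_server"):
        print(daemon, effective_logging(SAMPLE_LOGGING, daemon))
        print(logging_findings(SAMPLE_LOGGING, daemon) or "  no findings")
```

For the sample section the KDC resolves to syslog with facility DAEMON via
the default relation, while admin_server gets a finding for its FILE=
destination.
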

   [otp]
       Each subsection of [otp] is the name of an OTP token type.  The tags
       within the subsection define the configuration required to forward
       a One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can be
              a hostname with optional port, an IP address with optional
              port, or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.  RADIUS over UDP
              protects the forwarded OTP only with the shared secret, so a
              remote server should be reachable only over a trusted
              network; a Unix domain socket to a local RADIUS proxy avoids
              the exposure.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the secret used to encrypt
              the RADIUS packets.  The secret should appear in the first
              line of the file by itself; leading and trailing whitespace
              on the line will be removed.  If the value of server is a
              Unix domain socket address, this tag is optional, and an
              empty secret will be used if it is not specified.  Otherwise,
              this tag is required.

       timeout
              An integer which specifies the time in seconds during which
              the KDC should attempt to contact the RADIUS server.  This
              tag is the total time across all retries and should be less
              than the time which an OTP value remains valid for.  The
              default is 5 seconds.

       retries
              This tag specifies the number of retries to make to the
              RADIUS server.  The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be
              passed to the RADIUS server.  Otherwise, the realm will be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included
              in the ticket if this token type is used to authenticate.
              This option may be specified multiple times.  (New in release
              1.14.)

       In the following example, requests are sent to a remote server via
       UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its
       configuration is shown below.  You may override this token type to
       something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }

PKINIT OPTIONS
       NOTE:
          The following are pkinit-specific options.  These values may be
          specified in [kdcdefaults] as global defaults, or within a
          realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, and does not add to, a generic
          [kdcdefaults] specification.  The search order is:

          1. realm-specific subsection of [realms]:

                [realms]
                    EXAMPLE.COM = {
                        pkinit_anchors = FILE:/usr/local/example.com.crt
                    }

          2. generic value in the [kdcdefaults] section:

                [kdcdefaults]
                    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

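The search order just described is the same realm-then-[kdcdefaults] rule
the [kdcdefaults] section states for the listener and referral relations,
with the "overrides, does not add to" detail mattering most for tags that
may appear several times such as pkinit_anchors.  The following added
example, written for this page and not part of MIT Kerberos, parses enough
of the profile syntax to resolve a tag for one realm by that rule and then
runs a few lint checks drawn from settings documented above.  The sample
kdc.conf in the code is constructed for the example, and the lint checks
are this editor's selection, not a list the page publishes.

```python
"""Resolve kdc.conf settings the way this page describes and lint the result.

Added example, not part of MIT Kerberos.  It implements enough of the
krb5.conf/kdc.conf profile syntax (sections, "tag = value" relations,
nested "tag = { ... }" subsections, comment lines starting with '#' or ';',
repeated tags kept in order) to show two rules from the page: a value in
the realm's [realms] subsection wins, otherwise the [kdcdefaults] value
applies; and a realm-specific pkinit_* value replaces the [kdcdefaults] one
rather than adding to it.  SAMPLE_KDC_CONF is constructed for this example
and the lint checks are this editor's choices.
"""
import re

SAMPLE_KDC_CONF = """\
# constructed sample, not a real deployment
[kdcdefaults]
    kdc_listen = 88
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
    pkinit_eku_checking = kpClientAuth

[realms]
    EXAMPLE.COM = {
        acl_file = ""
        pkinit_anchors = FILE:/usr/local/example.com.crt
        pkinit_anchors = FILE:/usr/local/example.com-2.crt
        pkinit_eku_checking = none
    }
    OTHER.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
"""


def parse_profile(text):
    """Return {section: {tag: [values] or {subsection}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = re.fullmatch(r"\[(\S+)\]", line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        tag, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(tag, {}))
        else:
            stack[-1].setdefault(tag, []).append(value.strip('"'))
    return root


def realm_setting(profile, realm, tag):
    """All values for tag: the realm's own if present (they replace, not
    extend, the defaults), else those from [kdcdefaults], else None."""
    own = profile.get("realms", {}).get(realm, {})
    if tag in own:
        return list(own[tag])
    return profile.get("kdcdefaults", {}).get(tag)


# Default the page gives for supported_enctypes when the tag is absent.
PAGE_DEFAULT_ENCTYPES = ("aes256-cts-hmac-sha1-96:normal "
                         "aes128-cts-hmac-sha1-96:normal "
                         "des3-cbc-sha1:normal arcfour-hmac-md5:normal")
LEGACY_PREFIXES = ("des-", "des3-", "arcfour-")


def lint_realm(profile, realm):
    """Security-relevant settings a reviewer would flag for one realm."""
    def last(tag):
        values = realm_setting(profile, realm, tag)
        return values[-1] if values else None

    findings = []
    if last("acl_file") == "":
        findings.append("acl_file is empty: kadmind runs without kadm5.acl")
    if last("pkinit_eku_checking") == "none":
        findings.append("pkinit_eku_checking = none: client certificate "
                        "EKU is not verified")
    keysalts = (last("supported_enctypes") or PAGE_DEFAULT_ENCTYPES).split()
    legacy = [ks for ks in keysalts if ks.startswith(LEGACY_PREFIXES)]
    if legacy:
        findings.append("supported_enctypes keeps legacy key types: "
                        + " ".join(legacy))
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_KDC_CONF)
    for realm in ("EXAMPLE.COM", "OTHER.COM"):
        print(realm, realm_setting(profile, realm, "pkinit_anchors"))
        print(" ", lint_realm(profile, realm) or "no findings")
```

For EXAMPLE.COM the two realm-level pkinit_anchors values are returned and
the DIR: anchor from [kdcdefaults] is not, while OTHER.COM, which sets none
of its own, inherits the DIR: anchor; the lint reports three findings for
EXAMPLE.COM and none for OTHER.COM.
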
For information about the syntax of some of these options, see Specifying
PKINIT identity information in krb5.conf(5).

pkinit_anchors
    Specifies the location of trusted anchor (root) certificates which the
    KDC trusts to sign client certificates. This option is required if
    pkinit is to be supported by the KDC. This option may be specified
    multiple times.

pkinit_dh_min_bits
    Specifies the minimum number of bits the KDC is willing to accept for a
    client's Diffie-Hellman key. The default is 2048.

pkinit_allow_upn
    Specifies that the KDC is willing to accept client certificates with the
    Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This
    means the KDC accepts the binding of the UPN in the certificate to the
    Kerberos principal name. The default value is false.

    Without this option, the KDC will only accept certificates with the
    id-pkinit-san as defined in RFC 4556. There is currently no option to
    disable SAN checking in the KDC.

pkinit_eku_checking
    This option specifies what Extended Key Usage (EKU) values the KDC is
    willing to accept in client certificates. The values recognized in the
    kdc.conf file are:

    kpClientAuth
        This is the default value and specifies that client certificates
        must have the id-pkinit-KPClientAuth EKU as defined in RFC 4556.

    scLogin
        If scLogin is specified, client certificates with the Microsoft
        Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted.

    none
        If none is specified, then client certificates will not be checked
        to verify they have an acceptable EKU. The use of this option is
        not recommended.

pkinit_identity
    Specifies the location of the KDC's X.509 identity information. This
    option is required if pkinit is to be supported by the KDC.

pkinit_indicator
    Specifies an authentication indicator to include in the ticket if pkinit
    is used to authenticate. This option may be specified multiple times.
    (New in release 1.14.)

pkinit_pool
    Specifies the location of intermediate certificates which may be used by
    the KDC to complete the trust chain between a client's certificate and a
    trusted anchor. This option may be specified multiple times.

pkinit_revoke
    Specifies the location of Certificate Revocation List (CRL) information
    to be used by the KDC when verifying the validity of client
    certificates. This option may be specified multiple times.

pkinit_require_crl_checking
    The default certificate verification process will always check the
    available revocation information to see if a certificate has been
    revoked. If a match is found for the certificate in a CRL, verification
    fails. If the certificate being verified is not listed in a CRL, or
    there is no CRL present for its issuing CA, and
    pkinit_require_crl_checking is false, then verification succeeds.

    However, if pkinit_require_crl_checking is true and there is no CRL
    information available for the issuing CA, then verification fails.

    pkinit_require_crl_checking should be set to true if the policy is such
    that up-to-date CRLs must be present for every CA.

pkinit_require_freshness
    Specifies whether to require clients to include a freshness token in
    PKINIT requests. The default value is false. (New in release 1.17.)

ENCRYPTION TYPES
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings. Encryption
types marked as "weak" are available for compatibility but not recommended
for use.

┌───────────────────────────┬─────────────────────────────┐
│des-cbc-crc                │ DES cbc mode with CRC-32    │
│                           │ (weak)                      │
├───────────────────────────┼─────────────────────────────┤
│des-cbc-md4                │ DES cbc mode with RSA-MD4   │
│                           │ (weak)                      │
├───────────────────────────┼─────────────────────────────┤
│des-cbc-md5                │ DES cbc mode with RSA-MD5   │
│                           │ (weak)                      │
├───────────────────────────┼─────────────────────────────┤
│des-cbc-raw                │ DES cbc mode raw (weak)     │
├───────────────────────────┼─────────────────────────────┤
│des3-cbc-raw               │ Triple DES cbc mode raw     │
│                           │ (weak)                      │
├───────────────────────────┼─────────────────────────────┤
│des3-cbc-sha1              │ Triple DES cbc mode with    │
│des3-hmac-sha1             │ HMAC/sha1                   │
│des3-cbc-sha1-kd           │                             │
├───────────────────────────┼─────────────────────────────┤
│des-hmac-sha1              │ DES with HMAC/sha1 (weak)   │
├───────────────────────────┼─────────────────────────────┤
│aes256-cts-hmac-sha1-96    │ AES-256 CTS mode with       │
│aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
├───────────────────────────┼─────────────────────────────┤
│aes128-cts-hmac-sha1-96    │ AES-128 CTS mode with       │
│aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
├───────────────────────────┼─────────────────────────────┤
│aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with       │
│aes256-sha2                │ 192-bit SHA-384 HMAC        │
├───────────────────────────┼─────────────────────────────┤
│aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with       │
│aes128-sha2                │ 128-bit SHA-256 HMAC        │
├───────────────────────────┼─────────────────────────────┤
│arcfour-hmac rc4-hmac      │ RC4 with HMAC/MD5           │
│arcfour-hmac-md5           │                             │
├───────────────────────────┼─────────────────────────────┤
│arcfour-hmac-exp           │ Exportable RC4 with         │
│rc4-hmac-exp               │ HMAC/MD5 (weak)             │
│arcfour-hmac-md5-exp       │                             │
├───────────────────────────┼─────────────────────────────┤
│camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
│camellia256-cts            │ CMAC                        │
├───────────────────────────┼─────────────────────────────┤
│camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
│camellia128-cts            │ CMAC                        │
├───────────────────────────┼─────────────────────────────┤
│des                        │ The DES family:             │
│                           │ des-cbc-crc, des-cbc-md5,   │
│                           │ and des-cbc-md4 (weak)      │
├───────────────────────────┼─────────────────────────────┤
│des3                       │ The triple DES family:      │
│                           │ des3-cbc-sha1               │
├───────────────────────────┼─────────────────────────────┤
│aes                        │ The AES family:             │
│                           │ aes256-cts-hmac-sha1-96,    │
│                           │ aes128-cts-hmac-sha1-96,    │
│                           │ aes256-cts-hmac-sha384-192, │
│                           │ and                         │
│                           │ aes128-cts-hmac-sha256-128  │
├───────────────────────────┼─────────────────────────────┤
│rc4                        │ The RC4 family:             │
│                           │ arcfour-hmac                │
├───────────────────────────┼─────────────────────────────┤
│camellia                   │ The Camellia family:        │
│                           │ camellia256-cts-cmac and    │
│                           │ camellia128-cts-cmac        │
└───────────────────────────┴─────────────────────────────┘

The string DEFAULT can be used to refer to the default set of types for
the variable in question. Types or families can be removed from the
current list by prefixing them with a minus sign ("-"). Types or families
can be prefixed with a plus sign ("+") for symmetry; it has the same
meaning as just listing the type or family. For example, "DEFAULT -des"
would be the default set of encryption types with DES types removed, and
"des3 DEFAULT" would be the default set of encryption types with triple
DES types moved to the front.

While aes128-cts and aes256-cts are supported for all Kerberos operations,
they are not supported by very old versions of our GSSAPI implementation
(krb5-1.3.1 and earlier). Services running versions of krb5 without AES
support must not be given keys of these encryption types in the KDC
database.

The aes128-sha2 and aes256-sha2 encryption types are new in release 1.15.
Services running versions of krb5 without support for these newer
encryption types must not be given keys of these encryption types in the
KDC database.

KEYSALT LISTS
Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys take
lists of enctype-salttype ("keysalt") pairs, known as keysalt lists. Each
keysalt pair is an enctype name followed by a salttype name, in the format
enc:salt. Individual keysalt list members are separated by comma (",")
characters or space characters. For example:

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate password-derived
keys for the aes256-cts and aes128-cts encryption types, using a normal
salt.

To ensure that people who happen to pick the same password do not have the
same key, Kerberos 5 incorporates more information into the key using
something called a salt. The supported salt types are as follows:

┌──────────┬────────────────────────────┐
│normal    │ default for Kerberos       │
│          │ Version 5                  │
├──────────┼────────────────────────────┤
│v4        │ the only type used by      │
│          │ Kerberos Version 4         │
│          │ (no salt)                  │
├──────────┼────────────────────────────┤
│norealm   │ same as the default,       │
│          │ without using realm        │
│          │ information                │
├──────────┼────────────────────────────┤
│onlyrealm │ uses only realm            │
│          │ information as the salt    │
├──────────┼────────────────────────────┤
│afs3      │ AFS version 3, only used   │
│          │ for compatibility with     │
│          │ Kerberos 4 in AFS          │
├──────────┼────────────────────────────┤
│special   │ generate a random salt     │
└──────────┴────────────────────────────┘

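As an added example, not code from this page or from MIT Kerberos, the following Python applies the enctype-list rules described above (DEFAULT, family names, "-" removal, "+" or bare addition, and ordering) and parses a keysalt list in the enc:salt form, checking each salttype against the table above. The alias and family tables come from the page; the DEFAULT set is a constructed assumption, since the real default depends on the build.

```python
# Added example, not code from the MIT page; DEFAULT below is an assumption.
ALIASES = {  # canonical enctype -> aliases, from the table above
    "des-cbc-crc": [], "des-cbc-md4": [], "des-cbc-md5": [],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "aes256-cts-hmac-sha384-192": ["aes256-sha2"],
    "aes128-cts-hmac-sha256-128": ["aes128-sha2"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "camellia256-cts-cmac": ["camellia256-cts"],
    "camellia128-cts-cmac": ["camellia128-cts"],
}
FAMILIES = {  # family name -> member enctypes, from the table above
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"], "rc4": ["arcfour-hmac"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
SALTTYPES = {"normal", "v4", "norealm", "onlyrealm", "afs3", "special"}
# Assumed default set (a real build's differs); des-cbc-crc is in it so "-des" shows.
DEFAULT = FAMILIES["aes"] + ["des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc"]

def expand(name):  # enctype name, alias or family name -> canonical enctypes
    if name in FAMILIES:
        return list(FAMILIES[name])
    for canon, aliases in ALIASES.items():
        if name == canon or name in aliases:
            return [canon]
    raise ValueError("unknown enctype or family: " + name)
def resolve_enctypes(spec, default=DEFAULT):
    """DEFAULT expands to the default set; '-x' drops x's types; '+x' or bare
    'x' appends them, each kept once, so 'des3 DEFAULT' puts des3 first."""
    result = []
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = list(default) if name == "DEFAULT" else expand(name)
        if sign == "-":
            result = [e for e in result if e not in names]
        else:
            result += [e for e in names if e not in result]
    return result
def parse_keysalts(spec):  # "enc:salt" members separated by "," or spaces
    pairs = []
    for item in spec.replace(",", " ").split():
        enc, _, salt = item.partition(":")
        if len(expand(enc)) != 1 or salt not in SALTTYPES:
            raise ValueError("bad keysalt pair: " + item)
        pairs.append((expand(enc)[0], salt))
    return pairs
```
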
SAMPLE KDC.CONF FILE
Here's an example of a kdc.conf file:

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88
    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read rights on
            # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read and write rights on
            # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }

FILES
    /var/kerberos/krb5kdc/kdc.conf

SEE ALSO
    krb5.conf(5), krb5kdc(8), kadm5.acl(5)

AUTHOR
    MIT

COPYRIGHT
    1985-2019, MIT

1.17 KDC.CONF(5)